On Wed, Jul 16, 2025 at 8:42 PM Greg Sabino Mullane <htamf...@gmail.com> wrote:
> On Wed, Jul 16, 2025 at 9:25 AM Amol Inamdar <amol....@gmail.com> wrote: > >> >> 1. NFS mount point is for /nfs-mount/postgres (and permissions locked >> down so that Postgres cannot create directories in here) >> 2. Postgres data directory is /nfs-mount/postgres/db >> 3. >> >> With secured NFS + AT-TLS setup Postgres will be able to write to >> data directory but not parent dir, however the file ownership information >> Postgres sees from the stat() call will not match the Postgres user in the >> container (even though the AT-TLS strict access control will ensure only >> the Posgres user can read/write to this directory) >> >> This thread is fascinating. It's like combining two of the most annoying > technologies in the world, NFS and SELinux, into something worse than > either of them. > > Many people use Docker, and NFS, and Postgres all the time. Stop trying to > push on a string. Conform your process to Postgres' fairly minimal and > sane requirements, rather than the other way around. > Unless "all databases must be stored on the mainframe, Because Mainframes Are Secure" is dogma in that shop, and there's no way the CISO will make an exception for some random program off the Internet. "Heck, it's probably got malware in it!!" -- Death to <Redacted>, and butter sauce. Don't boil me, I'm still alive. <Redacted> lobster!
